@karpeleslab/teamclaude 1.0.6 → 1.0.8

package/src/request-log.js

@@ -0,0 +1,194 @@
+// Per-request logging for the MITM relay (parity with the reverse-proxy path's
+// --log-to). One tap per CONNECT/connection (h2 stream ids restart per
+// connection, so taps must not be shared).
+//
+// Logs STREAM to disk as the request/response flow: the file is opened and the
+// request head written the moment headers arrive, and every body chunk is
+// appended as it is relayed. JSON bodies are pretty-printed on the fly via a
+// streaming state machine (src/json-format-stream.js) — never buffered whole,
+// so even ~1M-token bodies cost only the current chunk, and a request that
+// blocks mid-stream leaves its partial (readable) body on disk so you can see
+// exactly how far it got. Auth/x-api-key are masked. No size caps.
+
+import { createWriteStream } from 'node:fs';
+import { mkdir } from 'node:fs/promises';
+import { join } from 'node:path';
+import { JsonStreamFormatter } from './json-format-stream.js';
+
+let seq = 0; // module-global so filenames are unique across connections
+
+function maskValue(name, val) {
+  const n = name.toLowerCase();
+  if (n === 'authorization') return val.slice(0, 20) + '...';
+  if (n === 'x-api-key') return val.slice(0, 15) + '...';
+  return val;
+}
+
+function fmtFields(fields, { pseudo = true } = {}) {
+  return fields
+    .filter((f) => pseudo || !f.name.toString().startsWith(':'))
+    .map((f) => { const n = f.name.toString(); return `  ${n}: ${maskValue(n, f.value.toString())}`; })
+    .join('\n');
+}
+
+function get(fields, name) {
+  const f = fields.find((x) => x.name.toString() === name);
+  return f ? f.value.toString() : '';
+}
+
+function maskHeadText(text) {
+  return text.split('\r\n').map((line) => {
+    const lower = line.toLowerCase();
+    if (lower.startsWith('authorization:')) return 'authorization: ' + line.slice(14).trim().slice(0, 20) + '...';
+    if (lower.startsWith('x-api-key:')) return 'x-api-key: ...';
+    return line;
+  }).join('\r\n');
+}
+
+// content-type from an h2 field list / an h1 head text (lowercased, or '').
+function ctOfFields(fields) {
+  const f = fields.find((x) => x.name.toString().toLowerCase() === 'content-type');
+  return f ? f.value.toString().toLowerCase() : '';
+}
+function ctOfHead(text) {
+  const line = text.split('\r\n').find((l) => l.toLowerCase().startsWith('content-type:'));
+  return line ? line.slice(line.indexOf(':') + 1).trim().toLowerCase() : '';
+}
+
+function stamp() {
+  const d = new Date();
+  const p = (n, w = 2) => String(n).padStart(w, '0');
+  return `${d.getFullYear()}${p(d.getMonth() + 1)}${p(d.getDate())}_${p(d.getHours())}${p(d.getMinutes())}${p(d.getSeconds())}.${p(d.getMilliseconds(), 3)}`;
+}
+
+// Tracks how one direction's body is written: decide formatter-vs-raw on the
+// first chunk (event-stream → raw; otherwise pretty-print if it looks like JSON,
+// i.e. the first non-whitespace byte is { or [). Writes the section header once.
+export class BodyWriter {
+  constructor(write, label, contentType) {
+    this.write = write;
+    this.label = label;
+    this.isStream = /event-stream/.test(contentType);
+    this.decided = false;
+    this.fmt = null;
+    this.headerWritten = false;
+  }
+  chunk(buf) {
+    if (!buf.length) return;
+    if (!this.headerWritten) { this.write(`\n\n=== ${this.label} ===\n`); this.headerWritten = true; }
+    if (!this.decided) {
+      const first = buf.toString('latin1').trimStart()[0];
+      if (!this.isStream && (first === '{' || first === '[')) this.fmt = new JsonStreamFormatter();
+      this.decided = true;
+    }
+    this.write(this.fmt ? this.fmt.push(buf) : buf.toString('latin1'));
+  }
+}
+
+export function makeMitmTap(logDir, accountName = '') {
+  if (!logDir) return null;
+  mkdir(logDir, { recursive: true }).catch(() => {});
+  const recs = new Map();
+
+  function open() {
+    const file = join(logDir, `${stamp()}_mitm_${String(++seq).padStart(5, '0')}.log`);
+    const ws = createWriteStream(file, { flags: 'a' });
+    ws.on('error', () => {});
+    return ws;
+  }
+
+  function rec(id) {
+    let r = recs.get(id);
+    if (!r) {
+      r = { ws: open(), reqBody: null, resBody: null, ended: false };
+      // Write strings as latin1 so a body's original bytes (which the formatter
+      // and raw path pass through 1:1 as latin1) round-trip exactly — writing as
+      // utf8 would re-encode bytes >127 and corrupt non-ASCII content.
+      r.write = (s) => { if (!r.ended && s) r.ws.write(Buffer.from(String(s), 'latin1')); };
+      recs.set(id, r);
+    }
+    return r;
+  }
+
+  return {
+    req(id, fields) {
+      const r = rec(id);
+      r.write(`=== REQUEST (h2${accountName ? `, account: ${accountName}` : ''}) ===\n${get(fields, ':method')} ${get(fields, ':path')}\n${fmtFields(fields, { pseudo: false })}`);
+      r.reqBody = new BodyWriter(r.write, 'REQUEST BODY', ctOfFields(fields));
+    },
+    reqHead(id, text) {
+      const r = rec(id);
+      r.write(`=== REQUEST (h1${accountName ? `, account: ${accountName}` : ''}) ===\n${maskHeadText(text).trimEnd()}`);
+      r.reqBody = new BodyWriter(r.write, 'REQUEST BODY', ctOfHead(text));
+    },
+    reqData(id, buf) { rec(id).reqBody?.chunk(buf); },
+    res(id, fields) {
+      const r = rec(id);
+      r.write(`\n\n=== RESPONSE ${get(fields, ':status')} ===\n${fmtFields(fields, { pseudo: false })}`);
+      r.resBody = new BodyWriter(r.write, 'RESPONSE BODY', ctOfFields(fields));
+    },
+    resHead(id, text) {
+      const r = rec(id);
+      const status = (text.split('\r\n')[0].split(' ')[1]) || '';
+      r.write(`\n\n=== RESPONSE ${status} (h1) ===\n${maskHeadText(text).trimEnd()}`);
+      r.resBody = new BodyWriter(r.write, 'RESPONSE BODY', ctOfHead(text));
+    },
+    resData(id, buf) { rec(id).resBody?.chunk(buf); },
+    end(id) {
+      const r = recs.get(id);
+      if (!r) return;
+      recs.delete(id);
+      if (!r.ended) { r.ended = true; r.ws.end('\n'); }
+    },
+  };
+}
+
+let activitySeq = 0; // module-global so TUI ids are unique across MITM connections
+
+// A tap (same interface as makeMitmTap) that, instead of writing to disk,
+// translates each relayed request's lifecycle into the server's TUI hooks —
+// so MITM traffic shows up in the live activity feed like reverse-proxy traffic.
+// Relay-local ids (h2 stream ids / h1 request ids restart per connection) are
+// mapped to globally-unique string ids ("m<n>") so they never collide with the
+// reverse-proxy's numeric ids or with each other across connections.
+export function makeActivityTap(hooks, accountName = '') {
+  if (!hooks || (!hooks.onRequestStart && !hooks.onRequestEnd)) return null;
+  const ids = new Map(); // relay-local id -> { gid, method, path, status }
+
+  function start(localId, method, path) {
+    const gid = `m${++activitySeq}`;
+    ids.set(localId, { gid, method, path, status: null });
+    hooks.onRequestStart?.(gid, { method, path });
+    if (accountName) hooks.onRequestRouted?.(gid, { account: accountName });
+  }
+
+  return {
+    req(id, fields) { start(id, get(fields, ':method'), get(fields, ':path')); },
+    reqHead(id, text) {
+      const parts = text.split('\r\n')[0].split(' ');
+      start(id, (parts[0] || '').toUpperCase(), parts[1] || '');
+    },
+    reqData() {},
+    res(id, fields) { const r = ids.get(id); if (r) r.status = get(fields, ':status'); },
+    resHead(id, text) { const r = ids.get(id); if (r) r.status = text.split('\r\n')[0].split(' ')[1] || ''; },
+    resData() {},
+    end(id) {
+      const r = ids.get(id);
+      if (!r) return;
+      ids.delete(id);
+      hooks.onRequestEnd?.(r.gid, { method: r.method, path: r.path, account: accountName, status: r.status });
+    },
+  };
+}
+
+// Fan one relay's tap callbacks out to several taps (disk + TUI activity).
+// Returns null if none are live, the single tap if only one is, else a proxy.
+export function combineTaps(...taps) {
+  const live = taps.filter(Boolean);
+  if (live.length <= 1) return live[0] || null;
+  const fan = (m) => (...a) => { for (const t of live) t[m]?.(...a); };
+  return {
+    req: fan('req'), reqHead: fan('reqHead'), reqData: fan('reqData'),
+    res: fan('res'), resHead: fan('resHead'), resData: fan('resData'), end: fan('end'),
+  };
+}

package/src/server.js

@@ -1,6 +1,11 @@
 import http from 'node:http';
-import { writeFile, mkdir } from 'node:fs/promises';
+import { createWriteStream } from 'node:fs';
+import { mkdir } from 'node:fs/promises';
 import { join } from 'node:path';
+import { ensureCerts, createConnectHandler } from './mitm.js';
+import { patchAccountUuid } from './account-uuid-rewrite.js';
+import { BodyWriter } from './request-log.js';
+import { upstreamFetch } from './upstream-fetch.js';
 
 
 const HOP_BY_HOP_HEADERS = new Set([
@@ -8,7 +13,7 @@ const HOP_BY_HOP_HEADERS = new Set([
   'te', 'trailer', 'upgrade', 'proxy-authorization', 'proxy-authenticate',
 ]);
 
-export function createProxyServer(accountManager, config, hooks = {}) {
+export function createProxyServer(accountManager, config, hooks = {}, sx = null) {
   const upstream = config.upstream || 'https://api.anthropic.com';
   const proxyApiKey = config.proxy?.apiKey;
   const logDir = config.logDir || null;
@@ -18,9 +23,9 @@ export function createProxyServer(accountManager, config, hooks = {}) {
     mkdir(logDir, { recursive: true }).catch(() => {});
   }
 
-  const server = http.createServer(async (req, res) => {
+  const requestHandler = async (req, res) => {
     try {
-      // Auth check — skip for localhost connections
+      // Auth check — skip for localhost connections.
       const clientKey = req.headers['x-api-key'];
       const remoteAddr = req.socket.remoteAddress;
       const isLocal = remoteAddr === '127.0.0.1' || remoteAddr === '::1' || remoteAddr === '::ffff:127.0.0.1';
@@ -40,11 +45,31 @@ export function createProxyServer(accountManager, config, hooks = {}) {
         return;
       }
 
+      // Reload endpoint — re-sync accounts from config without a restart. This
+      // is the headless equivalent of pressing 'R' in the TUI. Local control
+      // only (no upstream calls); the auth gate above already applies.
+      if (req.method === 'POST' && req.url === '/teamclaude/reload') {
+        if (!hooks.reload) {
+          res.writeHead(501, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ ok: false, error: 'reload not supported' }));
+          return;
+        }
+        try {
+          const added = await hooks.reload();
+          res.writeHead(200, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ ok: true, added: added || 0 }));
+        } catch (err) {
+          res.writeHead(500, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ ok: false, error: err.message }));
+        }
+        return;
+      }
+
       // Let client token refresh requests pass through to upstream untouched.
       // The proxy manages its own tokens via ensureTokenFresh(); intercepting
       // or rewriting client refreshes would cause token rotation conflicts.
       if (req.method === 'POST' && req.url === '/v1/oauth/token') {
-        await relayRaw(req, res, upstream);
+        await relayRaw(req, res, upstream, sx);
         return;
       }
 
@@ -59,9 +84,9 @@ export function createProxyServer(accountManager, config, hooks = {}) {
       }
       const body = Buffer.concat(bodyChunks);
 
-      const ctx = { account: null, status: null };
+      const ctx = { account: null, status: null, tried: new Set() };
       try {
-        await forwardRequest(req, res, body, accountManager, upstream, 0, hooks, reqId, ctx, logDir);
+        await forwardRequest(req, res, body, accountManager, upstream, 0, hooks, reqId, ctx, logDir, sx);
       } catch (err) {
         ctx.status = ctx.status || 502;
         console.error('[TeamClaude] Unhandled error:', err);
@@ -81,7 +106,23 @@ export function createProxyServer(accountManager, config, hooks = {}) {
     } catch (err) {
       console.error('[TeamClaude] Unhandled error:', err);
     }
-  });
+  };
+
+  const server = http.createServer(requestHandler);
+
+  // Forward-proxy support (always on, so multiple claude instances can use
+  // either ANTHROPIC_BASE_URL or HTTPS_PROXY against the same server). A CONNECT
+  // to the upstream host is a transparent MITM relay (rewrite only auth); the
+  // test host is answered locally; anything else is blind-tunneled. Certs are
+  // minted lazily on the first intercepted CONNECT.
+  const mitmHost = (() => { try { return new URL(upstream).hostname; } catch { return 'api.anthropic.com'; } })();
+  let certsPromise = null;
+  const ensureLeaf = async () => {
+    certsPromise ||= ensureCerts(mitmHost);
+    const c = await certsPromise;
+    return { key: c.leafKeyPem, cert: c.leafCertPem };
+  };
+  server.on('connect', createConnectHandler({ config, accountManager, ensureLeaf, logDir, hooks, log: console.error, sx }));
 
   return server;
 }
@@ -89,13 +130,13 @@ export function createProxyServer(accountManager, config, hooks = {}) {
 /**
  * Relay a request to upstream with no header rewriting — pure passthrough.
  */
-async function relayRaw(req, res, upstream) {
+async function relayRaw(req, res, upstream, sx) {
   const bodyChunks = [];
   for await (const chunk of req) bodyChunks.push(chunk);
   const body = Buffer.concat(bodyChunks);
 
   try {
-    const upstreamRes = await fetch(`${upstream}${req.url}`, {
+    const upstreamRes = await upstreamFetch(`${upstream}${req.url}`, {
       method: req.method,
       headers: {
         'content-type': req.headers['content-type'] || 'application/json',
@@ -103,7 +144,7 @@ async function relayRaw(req, res, upstream) {
         'user-agent': req.headers['user-agent'] || 'node',
       },
       body: body.length > 0 ? body : undefined,
-    });
+    }, sx, sx?.useByDefault());
 
     const responseBody = await upstreamRes.text();
     const responseHeaders = {};
@@ -129,15 +170,28 @@ function logTimestamp() {
   return `${d.getFullYear()}${pad(d.getMonth() + 1)}${pad(d.getDate())}_${pad(d.getHours())}${pad(d.getMinutes())}${pad(d.getSeconds())}.${pad(d.getMilliseconds(), 3)}`;
 }
 
-async function writeRequestLog(logDir, reqId, sections) {
-  if (!logDir) return;
-  const ts = logTimestamp();
-  const filename = `${ts}_${String(reqId).padStart(5, '0')}.log`;
-  try {
-    await writeFile(join(logDir, filename), sections.join('\n\n'), 'utf-8');
-  } catch (err) {
-    console.error(`[TeamClaude] Failed to write log: ${err.message}`);
-  }
+// A per-request log that streams to disk as the request/response flow, instead
+// of buffering the whole body in memory and writing once at the end. The file
+// is opened on first write; header sections are written verbatim and bodies are
+// streamed through BodyWriter (JSON pretty-printed on the fly, SSE/other raw),
+// so even a ~1M-token response costs only the current chunk.
+function openRequestLog(logDir, reqId) {
+  const filename = `${logTimestamp()}_${String(reqId).padStart(5, '0')}.log`;
+  const ws = createWriteStream(join(logDir, filename), { flags: 'a' });
+  ws.on('error', (err) => console.error(`[TeamClaude] Failed to write log: ${err.message}`));
+  let ended = false;
+  const write = (s) => { if (!ended && s) ws.write(Buffer.from(String(s), 'latin1')); };
+  return {
+    write,
+    // Stream a complete body buffer under a section header.
+    body(label, buf, contentType) {
+      if (!buf || !buf.length) { write(`\n\n=== ${label} ===\n(empty)`); return; }
+      new BodyWriter(write, label, contentType || '').chunk(buf);
+    },
+    // A BodyWriter to append chunks incrementally (e.g. an SSE response).
+    bodyWriter(label, contentType) { return new BodyWriter(write, label, contentType || ''); },
+    end() { if (!ended) { ended = true; ws.end('\n'); } },
+  };
 }
 
 function formatHeaders(headers) {
@@ -147,11 +201,14 @@ function formatHeaders(headers) {
   return Object.entries(headers).map(([k, v]) => `  ${k}: ${v}`).join('\n');
 }
 
-async function forwardRequest(req, res, body, accountManager, upstream, retryCount, hooks, reqId, ctx, logDir) {
+async function forwardRequest(req, res, body, accountManager, upstream, retryCount, hooks, reqId, ctx, logDir, sx, useSx) {
   const maxRetries = accountManager.accounts.length;
+  // Whether THIS attempt dials via sx.org. Undefined on the first call → derive
+  // from the default policy ('always' routes; 'off'/'429' start direct).
+  const route = useSx === undefined ? !!(sx?.useByDefault()) : useSx;
 
-  // Select account
-  const account = accountManager.getActiveAccount();
+  // Select account, skipping any already tried (and failed) this request.
+  const account = accountManager.getActiveAccount(ctx.tried);
   if (!account) {
     ctx.status = 429;
     ctx.account = '(none available)';
@@ -178,7 +235,8 @@ async function forwardRequest(req, res, body, accountManager, upstream, retryCou
   // Refresh OAuth token if needed
   await accountManager.ensureTokenFresh(account.index);
   if (account.status === 'error' && retryCount < maxRetries) {
-    return forwardRequest(req, res, body, accountManager, upstream, retryCount + 1, hooks, reqId, ctx, logDir);
+    ctx.tried.add(account.index);
+    return forwardRequest(req, res, body, accountManager, upstream, retryCount + 1, hooks, reqId, ctx, logDir, sx, route);
   }
 
   // Build upstream request headers
@@ -203,36 +261,34 @@ async function forwardRequest(req, res, body, accountManager, upstream, retryCou
   const upstreamUrl = `${upstream}${req.url}`;
   const method = req.method;
 
-  // Build log sections
-  const logSections = [];
-  if (logDir) {
+  // Align the body's account_uuid (in metadata.user_id) with the account whose
+  // token we're injecting (same-length patch; no-op if absent).
+  const sendBody = account.accountUuid ? patchAccountUuid(body, account.accountUuid) : body;
+
+  // Streaming request log, opened lazily on the first terminal outcome (a
+  // pure-429-then-retry attempt writes no file, matching prior behavior). The
+  // request head+body are written once, just before the response is logged.
+  let log = null;
+  let reqLogged = false;
+  const getLog = () => (logDir ? (log ||= openRequestLog(logDir, reqId)) : null);
+  const logRequestHead = () => {
+    const l = getLog();
+    if (!l || reqLogged) return;
+    reqLogged = true;
     const safeHeaders = { ...headers };
-    // Mask credentials in logs
-    if (safeHeaders['x-api-key']) {
-      safeHeaders['x-api-key'] = safeHeaders['x-api-key'].slice(0, 15) + '...';
-    }
-    if (safeHeaders['authorization']) {
-      safeHeaders['authorization'] = safeHeaders['authorization'].slice(0, 20) + '...';
-    }
-    logSections.push(
-      `=== REQUEST (account: ${account.name}, retry: ${retryCount}) ===\n${method} ${upstreamUrl}\n${formatHeaders(safeHeaders)}`,
-    );
-    if (body.length > 0) {
-      try {
-        logSections.push(`=== REQUEST BODY ===\n${JSON.stringify(JSON.parse(body.toString()), null, 2)}`);
-      } catch {
-        logSections.push(`=== REQUEST BODY (${body.length} bytes) ===\n${body.toString().slice(0, 4096)}`);
-      }
-    }
-  }
+    if (safeHeaders['x-api-key']) safeHeaders['x-api-key'] = safeHeaders['x-api-key'].slice(0, 15) + '...';
+    if (safeHeaders['authorization']) safeHeaders['authorization'] = safeHeaders['authorization'].slice(0, 20) + '...';
+    l.write(`=== REQUEST (account: ${account.name}, retry: ${retryCount}) ===\n${method} ${upstreamUrl}\n${formatHeaders(safeHeaders)}`);
+    if (body.length > 0) l.body('REQUEST BODY', body, req.headers['content-type']);
+  };
 
   try {
-    const upstreamRes = await fetch(upstreamUrl, {
+    const upstreamRes = await upstreamFetch(upstreamUrl, {
       method,
       headers,
-      body: ['GET', 'HEAD'].includes(method) ? undefined : body,
+      body: ['GET', 'HEAD'].includes(method) ? undefined : sendBody,
       redirect: 'manual',
-    });
+    }, sx, route);
 
     // Extract rate limit headers
     const rateLimitHeaders = {};
@@ -244,26 +300,51 @@ async function forwardRequest(req, res, body, accountManager, upstream, retryCou
     accountManager.updateQuota(account.index, rateLimitHeaders);
 
     // On 429, wait the retry-after duration and retry on the same account
-    // (this is a transient rate limit, not quota exhaustion)
+    // (this is a transient rate limit, not quota exhaustion).
     if (upstreamRes.status === 429) {
-      const retryAfter = parseInt(upstreamRes.headers.get('retry-after'), 10) || 60;
+      // Clamp Retry-After to a sane window: missing/invalid falls back to 60s,
+      // and out-of-range values are bounded to [1, 300]. A negative value would
+      // otherwise bypass the retry cap — setTimeout returns immediately and
+      // markRateLimited would set rateLimitedUntil in the past.
+      let retryAfter = parseInt(upstreamRes.headers.get('retry-after'), 10);
+      if (Number.isNaN(retryAfter)) retryAfter = 60;
+      retryAfter = Math.min(Math.max(retryAfter, 1), 300);
       // Discard the 429 response body
       await upstreamRes.body?.cancel();
 
-      if (logDir) {
-        logSections.push(`=== RESPONSE 429 — waiting ${retryAfter}s ===\n${formatHeaders(upstreamRes.headers)}`);
+      // sx.org failover: 429s are IP-based, so retry via the proxy's egress IP.
+      // 'always' is already on sx; '429' switches direct→sx now and skips the
+      // wait (a fresh IP isn't throttled). Also arm the sticky window for MITM.
+      const nextUseSx = !!(sx?.useOn429());
+      const switchingToSx = nextUseSx && !route;
+      sx?.noteRateLimited(retryAfter);
+
+      // Bound the retries: a persistently-throttled upstream must not loop
+      // forever (that would tie up the client connection indefinitely).
+      // Once retries are exhausted, throttle this account and re-dispatch —
+      // getActiveAccount then picks another account, or returns 429 to the
+      // client if every account is throttled.
+      if (retryCount >= maxRetries) {
+        console.log(`[TeamClaude] Persistent 429 on "${account.name}" — throttling ${retryAfter}s and re-dispatching`);
+        accountManager.markRateLimited(account.index, retryAfter);
+        return forwardRequest(req, res, body, accountManager, upstream, retryCount + 1, hooks, reqId, ctx, logDir, sx, nextUseSx);
+      }
+
+      if (switchingToSx) {
+        console.log(`[TeamClaude] 429 on "${account.name}" — retrying via sx.org (fresh egress IP)`);
+      } else {
+        console.log(`[TeamClaude] 429 on "${account.name}" — waiting ${retryAfter}s before retry`);
+        await new Promise(resolve => setTimeout(resolve, retryAfter * 1000));
       }
-      console.log(`[TeamClaude] 429 on "${account.name}" — waiting ${retryAfter}s before retry`);
-      await new Promise(resolve => setTimeout(resolve, retryAfter * 1000));
       // Client may have disconnected during the wait
       if (res.destroyed) return;
-      return forwardRequest(req, res, body, accountManager, upstream, retryCount, hooks, reqId, ctx, logDir);
+      return forwardRequest(req, res, body, accountManager, upstream, retryCount + 1, hooks, reqId, ctx, logDir, sx, nextUseSx);
     }
 
-    // Log response headers
-    if (logDir) {
-      logSections.push(`=== RESPONSE ${upstreamRes.status} ===\n${formatHeaders(upstreamRes.headers)}`);
-    }
+    // Log the request head (once) followed by the response headers, streaming
+    // to disk from here on.
+    logRequestHead();
+    getLog()?.write(`\n\n=== RESPONSE ${upstreamRes.status} ===\n${formatHeaders(upstreamRes.headers)}`);
 
     ctx.status = upstreamRes.status;
 
@@ -279,43 +360,35 @@ async function forwardRequest(req, res, body, accountManager, upstream, retryCou
     res.writeHead(upstreamRes.status, responseHeaders);
 
     if (!upstreamRes.body) {
-      if (logDir) {
-        logSections.push(`=== RESPONSE BODY ===\n(empty)`);
-        writeRequestLog(logDir, reqId, logSections);
-      }
+      const l = getLog();
+      if (l) { l.write('\n\n=== RESPONSE BODY ===\n(empty)'); l.end(); }
       res.end();
       return;
     }
 
-    const isStreaming = (upstreamRes.headers.get('content-type') || '').includes('text/event-stream');
+    const contentType = upstreamRes.headers.get('content-type') || '';
+    const isStreaming = contentType.includes('text/event-stream');
 
     if (isStreaming) {
-      const streamLog = logDir ? [] : null;
-      await streamResponse(upstreamRes.body, res, account.index, accountManager, streamLog);
-      if (logDir) {
-        logSections.push(`=== RESPONSE BODY (streamed) ===\n${streamLog.join('')}`);
-        writeRequestLog(logDir, reqId, logSections);
-      }
+      // Stream each chunk straight to the log as it is relayed — never hold the
+      // whole (potentially ~1M-token) SSE body in memory.
+      const l = getLog();
+      const bw = l ? l.bodyWriter('RESPONSE BODY (streamed)', contentType) : null;
+      await streamResponse(upstreamRes.body, res, account.index, accountManager, bw);
+      l?.end();
     } else {
       const buf = Buffer.from(await upstreamRes.arrayBuffer());
       extractUsageFromBody(buf, account.index, accountManager);
-      if (logDir) {
-        try {
-          logSections.push(`=== RESPONSE BODY ===\n${JSON.stringify(JSON.parse(buf.toString()), null, 2)}`);
-        } catch {
-          logSections.push(`=== RESPONSE BODY (${buf.length} bytes) ===\n${buf.toString().slice(0, 8192)}`);
-        }
-        writeRequestLog(logDir, reqId, logSections);
-      }
+      const l = getLog();
+      if (l) { l.body('RESPONSE BODY', buf, contentType); l.end(); }
       res.end(buf);
     }
   } catch (err) {
     console.error(`[TeamClaude] Upstream error (account "${account.name}"):`, err.message);
 
-    if (logDir) {
-      logSections.push(`=== ERROR ===\n${err.stack || err.message}`);
-      writeRequestLog(logDir, reqId, logSections);
-    }
+    logRequestHead();
+    const l = getLog();
+    if (l) { l.write(`\n\n=== ERROR ===\n${err.stack || err.message}`); l.end(); }
 
     const isTransient = err instanceof Error &&
       (err.message.includes('fetch failed') ||
@@ -328,9 +401,14 @@ async function forwardRequest(req, res, body, accountManager, upstream, retryCou
       return;
     }
 
+    // Any other thrown error is a transport/stream failure, NOT proof the
+    // account's credentials are bad — a bad credential comes back as a 401
+    // *response*, never a throw. So don't sideline the account (that would drop
+    // a healthy account from rotation until a credential change). Instead skip
+    // it for the rest of THIS request only and fail over to another account.
     if (retryCount < maxRetries && !res.headersSent) {
-      account.status = 'error';
-      return forwardRequest(req, res, body, accountManager, upstream, retryCount + 1, hooks, reqId, ctx, logDir);
+      ctx.tried.add(account.index);
+      return forwardRequest(req, res, body, accountManager, upstream, retryCount + 1, hooks, reqId, ctx, logDir, sx, route);
     }
     ctx.status = 502;
 
@@ -347,7 +425,7 @@ async function forwardRequest(req, res, body, accountManager, upstream, retryCou
 /**
  * Stream an SSE response to the client, parsing usage data along the way.
  */
-async function streamResponse(webStream, res, accountIndex, accountManager, streamLog) {
+async function streamResponse(webStream, res, accountIndex, accountManager, bodyWriter) {
   const reader = webStream.getReader();
   const decoder = new TextDecoder();
   let sseBuffer = '';
@@ -363,10 +441,10 @@ async function streamResponse(webStream, res, accountIndex, accountManager, stre
       // Forward chunk immediately
       const ok = res.write(value);
 
-      const text = decoder.decode(value, { stream: true });
+      // Append to the log as it streams (no whole-body buffering)
+      if (bodyWriter) bodyWriter.chunk(Buffer.from(value));
 
-      // Capture for logging
-      if (streamLog) streamLog.push(text);
+      const text = decoder.decode(value, { stream: true });
 
       // Parse SSE events for usage tracking
       sseBuffer += text;